Setting the listen address doesn't really block access to the CLI from other subnets, as long as the client knows the correct IP. A VLAN_IN ruleset is always required.
The mentioned access list has a major flaw: it also blocks clients' DHCP requests to the EdgeRouter. Make sure to allow them too (UDP dest port 67). Also, being able to ping the GW can be useful in troubleshooting; normally I allow that too.